3
votes

When an app is registered in Azure AD, to give permission to the app, we can grant consent to an application's delegated permissions on behalf of all the users in your tenant by clicking the "Grant Permissions" button. How do I undo this permission once it is given? Or can it not be undone from the Azure portal once it is clicked? I am confused, as it is always the same color and always shows the "Do you want to grant...." dialog, and "No" doesn't undo the action.

2 Answers

1
votes

As @Shwan Tabrizi said, you can refer to the blog's way to remove the app from Enterprise applications, because once you click the Grant Permissions button, the app will be automatically added to Enterprise applications and permissions assigned to users. You can also choose which users to remove permission from with the following steps:

1. Sign in to the Azure portal with an account that's a global admin for the directory.

2. Select More services, enter Azure Active Directory in the text box, and then select Enter.

3. On the Azure Active Directory - directoryname blade (that is, the Azure AD blade for the directory you are managing), select Enterprise applications.

4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.

5. On the Enterprise applications - All applications blade, select an app.

6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users & Groups.

7. On the appname - User & Group Assignment blade, select one or more users or groups and then select the Remove command. Confirm your decision at the prompt.

4
votes

Revoking Tenant Wide Consent can be done through the Azure Portal.

See here: Revoking Consent for Azure Active Directory Applications

Using the Azure Portal to Remove Tenant Wide Consent

If you are a tenant administrator, and you want to revoke consent for an application across your entire tenant, you can go to the Azure Portal. Whether it be for a bunch of users who individually consented or for an admin who consented on behalf of all the users, by simply deleting the application’s service principal, you will remove all delegation entries (the object used to store consent) for that application. Think about removing the service principal like uninstalling the application from your tenant.

You could delete the service principal a bunch of different ways like through Azure Active Directory PowerShell or through the Microsoft Graph API, but the easiest way for the average administrator is right through the Azure Portal.

Navigate to the Enterprise Applications blade in the Azure portal:

Then click “All Applications” and search for the application you want to revoke consent for:

When you click the application, you will be brought to an “Overview” section, where a tempting button called “Delete” will be at the top. Before you click this button, you might want to take a peek at the “Permissions” section to see the types of consent that were granted to this application:

Once you feel confident that you want to delete this application, go back to “Overview” and click “Delete”!

Voilà! The app and all consent associated with that app are now gone.

There are some screenshots included in the actual blog post.

I hope this helps!
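
The answer above mentions PowerShell and the Microsoft Graph API as alternatives to the portal. The following is an added example, not code from the answer or the linked blog post: it uses the Microsoft Graph PowerShell SDK (an assumption; the answer names the older Azure Active Directory PowerShell module) to list an app's delegation entries and then either remove only the tenant-wide ones or delete the service principal. The display name `Contoso Sample App` is a placeholder.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and
# the signed-in account is a tenant administrator.
param(
    [string]$AppDisplayName = 'Contoso Sample App',   # placeholder, not from the page
    [switch]$DeleteServicePrincipal                   # "uninstall" the app entirely
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Resolve the enterprise application (service principal). Display names are not
# unique, so refuse to continue unless exactly one object matches.
$escaped = $AppDisplayName.Replace("'", "''")
$sps = @(Get-MgServicePrincipal -Filter "displayName eq '$escaped'")
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($sps.Count)."
}
$sp = $sps[0]

# Delegated consent is stored as oauth2PermissionGrant objects whose clientId is
# the service principal's object id. ConsentType 'AllPrincipals' is the grant
# created on behalf of all users; 'Principal' is one user's own consent.
$grants = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
$grants | Select-Object Id, ConsentType, PrincipalId, Scope | Format-Table -AutoSize

if ($DeleteServicePrincipal) {
    # Deleting the service principal removes every delegation entry with it.
    Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
    Write-Host "Deleted service principal $($sp.Id) and all associated consent."
}
else {
    # Narrower option: undo only the tenant-wide consent, leaving the app
    # and any per-user consent in place.
    $tenantWide = @($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })
    foreach ($g in $tenantWide) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    }
    Write-Host "Removed $($tenantWide.Count) tenant-wide grant(s) for '$AppDisplayName'."
}
```

Review the printed `Scope` column before choosing `-DeleteServicePrincipal`, for the same reason the answer suggests checking the “Permissions” section before clicking “Delete”.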